Quake 3 Arena Buffer Overflow

08/20/2001

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in Raytheon SilentRunner, Quake 3 Arena, elm, and a list of Lightweight Directory Access Protocol servers; a temporary-file race condition in the Samsung ML-85G Linux printer driver; a new forms-based attack against Web browsers; problems in Arkeia, AdCycle, uncgi, the Red Hat util-linux package, and HP-UX's login command; and a race condition in the NetBSD kernel.

Arkeia, a multi-platform backup and recovery tool, has several problems that could lead to a remote root compromise. Because communications between the GUI management tool and the backup agents are unencrypted, and the Arkeia password is only weakly encrypted, an attacker who can sniff that traffic may gain access to the Arkeia account. Once the attacker has access to the Arkeia account, they can schedule an arbitrary command to be run before and after a backup, and that command is executed as root. To conduct this attack, the attacker must be able to sniff the traffic between the Arkeia GUI and one of its agents.

It is recommended that Arkeia be used through an encrypted tunnel created with a tool such as ssh.

Jochen Topf has written a paper that describes a new attack against some Web browsers that can be used to send data to arbitrary TCP ports. An attacker can potentially use it to make a Web browser send email, post news, delete email, send FTP commands, etc. If JavaScript is enabled in the Web browser, it can be used to submit the form as soon as the page is viewed. If the Web browser is inside a firewall-protected network, this attack could be used to reach other machines inside that network. Software reported to be vulnerable to this attack includes Opera version 5 for Linux, Internet Explorer, Junkbuster, Lynx, Mozilla 0.9.1 (ports greater than 1024), and Netscape 4.77 for Linux (blocks some ports but not all).

Raytheon SilentRunner has multiple buffer overflows that can be exploited by an attacker to execute arbitrary code on the server or to cause a denial of service on the collector. SilentRunner is a network monitoring tool that passively collects data and then allows the data to be viewed from a central server. It has been reported that versions 1.61, 2.0, and 2.01 of SilentRunner are vulnerable.

A buffer overflow exists in Quake 3 Arena that can be used to crash the Quake server, and may be exploitable to execute arbitrary code with the permissions of the user executing the Quake server. It has been reported that Quake 3 Arena versions 1.29f and 1.29g are vulnerable.

AdCycle, a Web-based ad management system, does not properly check user input, allowing an attacker to insert SQL statements that will be parsed by the database server. Exploiting this vulnerability allows the attacker to bypass the administrator password.

Users of AdCycle should upgrade to version 1.16 or newer as soon as possible.

The Linux printer driver for the Samsung ML-85G printer creates its temporary files insecurely. This leaves the driver vulnerable to a race condition that can be exploited to gain root permissions on the system.

It is recommended that users remove the set user id bit from the printer driver until a patched version has been installed.

uncgi is a CGI application that is designed to make writing CGI applications easier by parsing the QUERY_STRING and placing the result into environment variables. Versions of uncgi earlier than 1.10 did not check for relative directories (they parsed ../ as part of the URL), and would execute a script even if the script was not executable.

Users should upgrade to uncgi version 1.10 and should build it with the EXECUTABLES_ONLY compile-time option.
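The two checks that the uncgi fix describes (refusing a script path that climbs out of the CGI directory, and refusing to run anything without an execute bit) can be expressed as a small resolver. This is an added illustration written for this column, not uncgi's own code; the `cgi_root` layout, the `ScriptRejected` exception and the containment-by-resolved-path rule are assumptions, not details from the advisory.

```python
import os
import shutil
import tempfile
from pathlib import Path


class ScriptRejected(Exception):
    """Raised when a requested CGI script fails one of the safety checks."""


def resolve_cgi_script(cgi_root, requested, require_executable=True):
    """Return the absolute path of the script to run, or raise ScriptRejected.

    Check 1: the resolved path must stay inside cgi_root, so '../' cannot
             escape it (resolve() collapses '..' and symlinks first).
    Check 2: only regular files with an execute bit are run, which is the
             EXECUTABLES_ONLY behaviour the advisory recommends.
    """
    root = Path(cgi_root).resolve()
    # No lstrip of '/': an absolute request replaces root entirely and then
    # fails the containment check below, which is the intended outcome.
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ScriptRejected(f"path escapes cgi root: {requested!r}")
    if not candidate.is_file():
        raise ScriptRejected(f"not a regular file: {requested!r}")
    if require_executable and not os.access(candidate, os.X_OK):
        raise ScriptRejected(f"not executable: {requested!r}")
    return candidate


def demo():
    """Classify constructed sample requests against a throwaway cgi tree."""
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "cgi-bin"
    root.mkdir()
    (root / "hello.sh").write_text("#!/bin/sh\necho ok\n")
    (root / "hello.sh").chmod(0o755)          # a real, executable script
    (root / "notes.txt").write_text("data\n")  # present but not executable
    (root / "notes.txt").chmod(0o644)
    (tmp / "secret.txt").write_text("outside the cgi root\n")
    results = {}
    for req in ("hello.sh", "notes.txt", "../secret.txt", "/etc/passwd"):
        try:
            resolve_cgi_script(root, req)
            results[req] = "accepted"
        except ScriptRejected:
            results[req] = "rejected"
    shutil.rmtree(tmp)
    return results
```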

The HP-UX login command can allow restricted shell users to execute unauthorized commands and break out of the restricted shell. This is reported to affect HP9000 series 700/800 machines with HP-UX 11.00, 11.11, and 10.20.

HP recommends that affected users apply the appropriate patch as soon as possible.

A race condition in NetBSD between the ptrace() system call and the set user id and set group id handling of the execve() system call can be exploited by a local attacker to execute arbitrary code with the permissions of the root user. NetBSD version 2.5.1 is not vulnerable.

Users of NetBSD-current should upgrade to a version dated June 15, 2001 or newer. Users of NetBSD 1.5 should upgrade to a version dated June 17, 2001 or newer. Users of NetBSD 1.4, 1.4.1, 1.4.2, and 1.4.3 should upgrade to a version dated July 19, 2001 or newer. Once the upgraded kernel source has been installed, the kernel should be rebuilt and installed, and then the system should be restarted.